This page provides a list of recommended secure configuration checks for Commvault systems, and is periodically updated. Commvault is a backup and recovery software suite built for enterprise organizations.
ID | System | Category | Configuration check |
K072F00M0100 | Commvault | Access Control | Idle session timeout |
K072F00M0105 | Commvault | Access Control | MediaAgent ports restricted |
K072F00MP110 | Commvault | Access Control | Null sessions disallowed |
K012F00M0115 | Commvault | Access Control | Session grace attempts |
K012F00M0120 | Commvault | Access Control | UNC shares have a dedicated user name and password |
K072F00M0125 | Commvault | Audit | Audit Log retention |
K072F00M0130 | Commvault | Audit | Centralized log server |
K072F0000135 | Commvault | Audit | Event types enabled for audit logging |
K072F00M0140 | Commvault | Audit | External syslog server redundancy |
K072F00M0145 | Commvault | Audit | Required Syslog servers |
K072F00M0150 | Commvault | Audit | Syslog protocol |
K072F00M0155 | Commvault | Audit | syslog status |
K072F00M0160 | Commvault | Authentication | Account lockout threshold |
K072F00MP165 | Commvault | Authentication | Authenticated user permissions |
K082F00M0170 | Commvault | Authentication | Central authentication server configuration |
K072F00M0175 | Commvault | Authentication | HTTP Proxy Authentication enabled |
K072F00M0180 | Commvault | Authentication | Identity Provider redundancy |
K072F00M0185 | Commvault | Authentication | Maximum password age |
K052F00M0190 | Commvault | Authentication | Minimum account lockout duration |
K052F00M0195 | Commvault | Authentication | Multi factor authentication disabled |
K052F00M0200 | Commvault | Authentication | Authentication code for new user |
K052F00M0205 | Commvault | Authentication | Non-default local users |
K052F00M0210 | Commvault | Authentication | Number of disallowed past passwords |
K052F00M0215 | Commvault | Authentication | Password Complexity level |
K052F00M0220 | Commvault | Authentication | Password vault used |
K052F00M0225 | Commvault | Authentication | RADIUS server disabled |
K052F0000230 | Commvault | Authentication | Rename SQL Server default sa account |
K052F00M0235 | Commvault | Authentication | SNMP authentication protocol |
K052F00MP240 | Commvault | Authentication | SNMP user authentication |
K072F00M0245 | Commvault | Authentication | SSO for third-party applications status |
K072F00M0250 | Commvault | Authentication | SSO status |
K072F00M0255 | Commvault | Authentication | Use Passphrase for zipped log files |
K072F00M0260 | Commvault | Authorization | Approved Admin users/groups |
K072F00M0265 | Commvault | Authorization | Everyone group removed |
K072F00M0270 | Commvault | Authorization | Root Squash disabled |
K072F00M0272 | Commvault | Authorization | Dual authorization |
K072F00M0275 | Commvault | Backup and Recovery | 3-2-1 rule |
K072F00M0280 | Commvault | Backup and Recovery | Active backup policy |
K072F0000285 | Commvault | Backup and Recovery | Archive recovery idle periods |
K072F00M0290 | Commvault | Backup and Recovery | Backup security status |
K072F00M0295 | Commvault | Backup and Recovery | Commvault Air Gap |
K092F00M0300 | Commvault | Backup and Recovery | Commvault Retention Lock |
K072F00M0305 | Commvault | Backup and Recovery | DR backup configuration |
K072F00M0310 | Commvault | Backup and Recovery | Offline / separated data copies |
K072F00M0315 | Commvault | Backup and Recovery | Replication groups status |
K072F00M0320 | Commvault | Backup and Recovery | Restore SAP backup without ID enabled |
K072F00M0325 | Commvault | Backup and Recovery | Snapshots enabled |
K072F00M0330 | Commvault | Backup and Recovery | Standby CommServe Host |
K132F00MP335 | Commvault | Backup and Recovery | Unprotected VM's discovered |
K132F00MP340 | Commvault | Backup and Recovery | WORM Storage Mode not in use |
K132F00MP345 | Commvault | Configuration Management | Approved AD servers |
K132F00MP350 | Commvault | Configuration Management | Approved DNS servers |
K132F00MP355 | Commvault | Configuration Management | Approved MediaAgent OS |
K132F00MP360 | Commvault | Configuration Management | Approved NTP servers |
K132F00MP365 | Commvault | Configuration Management | Approved Syslog servers |
K132F00MP370 | Commvault | Configuration Management | Data loss prevention disabled |
K132F000P375 | Commvault | Configuration Management | Data-Cube Configurations |
K132F00MP380 | Commvault | Configuration Management | Secure Erase disabled |
K072F00M0385 | Commvault | Configuration Management | Target Commvault version |
K072F00M0390 | Commvault | Encryption | Authorized Certificate issuer |
K072F00MP395 | Commvault | Encryption | AWS S3 Encryption |
K072F00M0400 | Commvault | Encryption | Client certificate encryption status |
K072F00M0405 | Commvault | Encryption | Client encryption |
K072F00M0410 | Commvault | Encryption | Client encryption cipher type |
K072F00M0415 | Commvault | Encryption | Client encryption flag |
K132F00M0420 | Commvault | Encryption | Client encryption key length |
K072F00M0425 | Commvault | Encryption | Commvault SSL session status |
K072F00M0430 | Commvault | Encryption | Data at-rest encryption |
K072F00M0435 | Commvault | Encryption | Data in-transit encryption |
K072F00M0440 | Commvault | Encryption | Enforce SHA256 digest for certificates |
K072F00M0445 | Commvault | Encryption | Cleartext HTTP access |
K072F00M0450 | Commvault | Encryption | KMS encryption key length |
K072F00M0455 | Commvault | Encryption | KMS encryption type |
K072F00M0460 | Commvault | Encryption | KMS server redundancy |
K152FI000465 | Commvault | Encryption | KMS servers configured |
K152FI0M0470 | Commvault | Encryption | LDAP SSL status |
K152FI000466 | Commvault | Encryption | Private key encryption disabled |
K152FI0M0471 | Commvault | Encryption | Secondary backup data encryption |
K152FI000467 | Commvault | Encryption | Secure Communication between console and ComServe |
K152FI0M0472 | Commvault | Encryption | Secure SSL Connection to Cassandra |
K152FI000468 | Commvault | Encryption | Secure SSL Connection to MySQL |
K152FI0M0473 | Commvault | Encryption | Secure syslog messaging (TLS) |
K152FI000469 | Commvault | Encryption | Secure transport mode for VMware |
K152FI0M0474 | Commvault | Encryption | Self-signed certificate not used |
K152FI000470 | Commvault | Encryption | TLS level |
K152FI0M0475 | Commvault | Encryption | Virtual Server iDA TLS |
K152FI000471 | Commvault | Encryption | Weak SNMP privacy algorithm used |
K072F00M0530 | Commvault | Encryption | Workflow SSL certificate validation |
K072F00M0535 | Commvault | Hardening | Change default SQL server instance name |
K072F00M0540 | Commvault | Hardening | Change the default MS-SQL service ports |
K072F00M0545 | Commvault | Hardening | Commcell console / web console relocated |
K072F00M0550 | Commvault | Hardening | Hide the SQL instance |
K072F00M0555 | Commvault | Hardening | SELinux enabled |
K072F00M0560 | Commvault | Malware Protection | Critical anomalous event reporting |
K072F00MP565 | Commvault | Malware Protection | File activity anomaly Alert |
K072F00M0570 | Commvault | Malware Protection | Infected file versions restore status |
K052F0000575 | Commvault | Malware Protection | Ransomware monitoring policy |
K072F00MP580 | Commvault | Malware Protection | Ransomware Protection |
K072F00M0585 | Commvault | Malware Protection | Ransomware Protection feature disabled |
K072F00M0590 | Commvault | Malware Protection | Ransomware Protection for a Disk Library on an NFS Share |
K072F00M0595 | Commvault | Malware Protection | Rate of change alert |
K072F0000600 | Commvault | Malware Protection | Write-protecting mount paths |
K072F00M0605 | Commvault | Monitoring | SMTP server configuration |
K072F00M0610 | Commvault | Services and Protocol | Approved SNMP trap destination |
K112F00M0615 | Commvault | Services and Protocol | Disable NETBIOS |
K072F00M0620 | Commvault | Services and Protocol | SNMP status |
... and more. |
NOTE: Additional security baseline checks should be performed against Commvault products such as Commvault Distributed Storage (CDS), Command Center, Commvault Orchestrate, Commvault Activate, Hedvig, Metallic, Hyperscale, Windows SNMP service, destination storage systems and other Commvault backup and recovery components.
Interested to learn about StorageGuard Security Posture Management for Commvault?
|
||
|
|
Comments
0 comments
Please sign in to leave a comment.